Call it hack back, active defense, or incident response, the fact remains that organizations are looking for ways to contain the damage after a breach without running afoul of the law. Legal hack back via MazeHunter is more than traditional incident response because the organization can run a payload on the infected machine to engage with the attacker even before the forensics part of the investigation is complete, Evron said.
Joe Stewart, a security researcher with Cymmetria, said MazeHunter automates incident response. Traditional incident response involves finding the compromised machine, taking it offline or creating an image of the machine, and then performing forensics on the machine. “By then, the attacker is gone and you’ve lost the opportunity to stop the attacker,” Stewart said. MazeHunter speeds up response, “to get on the machine quickly, get the payload before they delete it.”
The idea for legal hack back came after two Cymmetria customers, a major financial services firm and a telecommunications firm, asked the company how they could target the attackers who had compromised machines in their networks. The customers wanted to be more proactive and disrupt operations before the attackers could cause any more damage, Evron said.
Understanding the law
The restriction on hacking back isn’t on the tools or the actual techniques. Defenders and attackers use the same tools, such as nmap to map the network, Metasploit to find vulnerable systems, or PowerShell to execute code. It’s fine for the security team to defend the network by monitoring traffic patterns and encrypting data but not okay for attackers to perform those same activities. The challenge is knowing where it is permitted to perform those activities, and where it isn’t, and that is why organizations interested in legal hack back need to look at the framework.
“The framework is critical because it clarifies and categorizes what organizations can or cannot do,” said Jim Christy, Cymmetria’s vice president of investigations and digital forensics, and former U.S. government computer forensics expert. “It’s not immediately obvious.”
There are legal and policy limitations on what security teams can do when investigating a security incident and containing the damage. When it comes to properly determining what kind of actions are allowed, organizations can’t just look at domestic laws. They have to consider international treaties, state and local regulations, contracts with third-party suppliers, and their own corporate policies. The legal framework gives security teams a starting point to discuss with the legal team what kind of techniques and tools would be legitimate under the organization’s legal and policy constraints, along with its risk profile.
“The framework gives security teams suggestions for legal teams to create the appropriate boundaries,” Evron said. “We are moving from ‘No way!’ to, well, some activities are allowed. The framework lets you find out what [laws] apply to you.”